Setting Up WPA2 Enterprise on a ZPE Gate Services Router with RADIUS Authentication

Overview

This knowledge base article provides a step-by-step guide to configuring WPA2 Enterprise on a ZPE Gate Services Router, utilizing a pre-configured RADIUS server for secure wireless authentication. WPA2 Enterprise enhances network security by requiring individual user credentials, validated through a RADIUS server, rather than a shared passphrase. This setup is ideal for organizations needing robust access control and encryption for their wireless networks.

In this article, we assume the RADIUS server is already operational at IP address 192.168.1.5, configured with a user "User_A", password "password", and a RADIUS secret "secret". The wireless network will use the SSID wifi_secure. The instructions will focus on configuring the ZPE Gate Services Router to integrate with this RADIUS server, enabling secure authentication for wireless clients.

Prerequisites

A RADIUS server is configured and reachable by the GSR.
The user USER_A with the password "password" and the RADIUS secret "secret" are configured on the RADIUS server, which is fully operational and reachable.

The GSR has an Ethernet connection to reach the RADIUS server and a WiFi interface acting as an access point.





Notes
NOTE: For this setup to work, the RADIUS server has to be available at all times, or at least during the authentication phase, for the user to be able to connect to the WiFi. If the server is no longer available but the user was already connected and authenticated, the user's session will continue to operate. If the user then disconnects and reconnects, or a new user tries to connect while the RADIUS server is unavailable, that user will not be able to join the WiFi network.


GSR Configuration

Access the GSR and configure the WiFi AP: navigate to Network :: Connections :: hotspot
Set:
WiFi SSID: Secure_Wifi
WiFi Security: WPA2 Enterprise
Method: PEAP
RADIUS server: 192.168.1.5 (for this example)
RADIUS port: leave the default, 1812, unless you configured a different port for this service
Shared Secret: secret (as configured on the RADIUS server)
Configure the Region and the WiFi Band

Configuring a Radius server


The following link provides information on how to set up a radius server and how to configure it.

User Accessing the WiFi with WPA2 Enterprise


When a user attempts to connect to the wifi_secure network on a ZPE Gate Services Router configured with WPA2 Enterprise and RADIUS authentication, the process unfolds as follows:
  1. Network Discovery: The user’s device (e.g., laptop or smartphone) scans for available Wi-Fi networks and detects the SSID wifi_secure.
  2. Connection Request: The user selects wifi_secure and initiates a connection. Since WPA2 Enterprise is enabled, the device prompts the user to enter credentials instead of a shared passphrase.
  3. Credential Submission: The user enters their RADIUS-assigned username (USER_A) and password (password), which are securely transmitted from the device to the GSR.
  4. RADIUS Authentication: The ZPE Gate Services Router forwards the credentials to the pre-configured RADIUS server at IP address 192.168.1.5, using the shared RADIUS secret (secret) to encrypt and authenticate the request.
  5. Server Validation: The RADIUS server verifies that the username USER_A and password password match its records. If valid, it sends an approval response back to the router.
  6. Secure Connection Established: Upon receiving approval, the GSR grants the user access, and the device negotiates an encrypted connection using WPA2’s AES encryption. The user is now securely connected to wifi_secure.
This process ensures that only authorized users with valid RADIUS credentials can access the network, providing a high level of security for wifi_secure.
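
How the shared secret from step 4 authenticates the RADIUS packets exchanged between the GSR and the server, as an added example that is not ZPE's code. It follows the RADIUS packet layout from RFC 2865 and the Message-Authenticator attribute from RFC 3579; the function names are hypothetical, the values are constructed from this article's example settings, and the server reply is simplified to an attribute-less Access-Accept.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(secret: bytes, ident: int, user: bytes, req_auth: bytes) -> bytes:
    """What the AP sends first: the client's EAP identity wrapped in RADIUS."""
    # EAP-Response/Identity: code 2, EAP id 0, length, type 1, identity string.
    eap = struct.pack("!BBHB", 2, 0, 5 + len(user), 1) + user
    attrs = attr(USER_NAME, user) + attr(EAP_MESSAGE, eap)
    ma_at = 20 + len(attrs) + 2          # offset of the Message-Authenticator value
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = bytearray(struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs)
    # HMAC-MD5 over the whole packet (value field zeroed), keyed with the shared secret.
    pkt[ma_at:ma_at + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def request_is_authentic(secret: bytes, pkt: bytes) -> bool:
    """Server-side check: recompute Message-Authenticator with our copy of the secret."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            return False                 # malformed attribute, stop parsing
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, pkt[pos + 2:pos + 18])
        pos += alen
    return False                         # EAP requests must carry the attribute

def build_reply(secret: bytes, code: int, ident: int, req_auth: bytes, attrs: bytes = b"") -> bytes:
    """Server reply; Response Authenticator = MD5(header + request auth + attrs + secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def reply_is_authentic(secret: bytes, reply: bytes, req_auth: bytes) -> bool:
    """AP-side check that the reply came from a holder of the shared secret."""
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    ra = os.urandom(16)                  # constructed Request Authenticator
    req = build_access_request(b"secret", 1, b"USER_A", ra)
    print(request_is_authentic(b"secret", req), request_is_authentic(b"wrong", req))
```

A mismatch between the Shared Secret set on the GSR and the one on the RADIUS server makes both checks fail, so no user can authenticate even with correct credentials.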

If the GSR has access to the internet and IPv4 forwarding is enabled, the authenticated user must be able to access the internet via the WiFi WPA2 Enterprise network.
